b'               \xc2\xa0\n\n               \xc2\xa0\n\n               \xc2\xa0     U.S.\xc2\xa0ENVIRONMENTAL\xc2\xa0PROTECTION\xc2\xa0AGENCY\xc2\xa0\n\n               \xc2\xa0     OFFICE\xc2\xa0OF\xc2\xa0INSPECTOR\xc2\xa0GENERAL\xc2\xa0\n\n\n\n\n                     EPA Does Not\n                     Adequately Follow\n                     National Security Information\n                     Classification Standards\n                     Report No. 14-P-0017               November 15, 2013\n\n\n\n\nScan this mobile\ncode to learn more\nabout the EPA OIG.\n\x0cReport Contributors:\t                                Chris Baughman\n                                                     Hilda Canes Gardu\xc3\xb1o\n                                                     Eric Lewis\n                                                     Ryan Patterson\n                                                     Byron Shumate\n\n\n\n\nAbbreviations\n\nCFR             Code of Federal Regulations\nEO              Executive Order\nEPA             U.S. Environmental Protection Agency\nISOO            Information Security Oversight Office\nNHSRC           National Homeland Security Research Center\nNSI             National security information\nOARM            Office of Administration and Resources Management\nOCA             Original classification authority\nOHS             Office of Homeland Security\nOIG             Office of Inspector General\nSMD             Security Management Division\n\n\n\n Hotline \t                                      Suggestions for Audits or Evaluations\n To report fraud, waste or abuse, contact       To make suggestions for audits or evaluations, \n\n us through one of the following methods:       contact us through one of the following methods:\n\n\n email:    OIG_Hotline@epa.gov                  email:    OIG_WEBCOMMENTS@epa.gov.\n phone:    1-888-546-8740                       phone:    1-202-566-2391\n fax:      1-202-566-2599                       fax:      1-202-566-2599\n online:   http://www.epa.gov/oig/hotline.htm   online:   http://www.epa.gov/oig/contact.html#Full_Info\n\n write:\t   EPA Inspector General Hotline        write:    EPA Inspector General \n\n           1200 Pennsylvania Avenue, NW \n                 1200 Pennsylvania Avenue, NW\n           Mailcode 2431T                                 Mailcode 2410T \n\n           Washington, DC 20460\n                          Washington, DC 20460\n\x0c                        U.S. Environmental Protection Agency                                                 14-P-0017\n\n                        Office of Inspector General                                                   November 15, 2013\n\n\n\n\n\n                        At a Glance\n\nWhy We Did This Review              EPA Does Not Adequately Follow National\nWe evaluated the                    Security Information Classification Standards\nU.S. Environmental Protection\nAgency\xe2\x80\x99s (EPA\xe2\x80\x99s) classified          What We Found\nnational security information\npractices as required by            Our review of both originally and derivatively \t           EPA\xe2\x80\x99s national security\nSection 6(b)(1) of the              classified documents generated by three offices            information could be\nReducing Over-Classification                                                                   improperly classified\n                                    found that the EPA does not sufficiently follow            without improved\nAct. In this report, we reviewed    national security information classification standards.    procedures.\na sample of documents\nclassified by the EPA to            Of the two originally classified documents we reviewed, portions of one needed\ndetermine the appropriateness       different classification levels and the other contained numerical data that was\nof the classification decisions     incorrectly transferred from another document. The National Homeland Security\nand markings.                       Research Center in the Office of Research and Development agreed to correct\n                                    the documents. We also noted that the approved classification guide and the\nInformation may be classified       three guides under review had narrow scopes, which limits their usefulness. The\nso that it is protected against     three proposed guides have been in the approval process for 12 months when it\nunauthorized disclosure in the      must take no more than 30 days. Additionally, the declassification process\ninterest of national security.      needs clarity since the one pending declassification request has also been in the\nSuch information must be            approval process for almost a year when it should take no more than 60 days.\nappropriately marked to\nindicate its classified status.     None of the 19 derivatively classified documents we reviewed completely met\nOriginal classification means       the requirements of Executive Order 13526 and the implementing regulations.\nthe initial determination to        The derivative classifiers did not include some required information and did not\nclassify is made by an original     correctly transfer information from the source documents. As a result, those who\nclassification authority, and for   later access the information may not know how to protect it or be able to\nthe EPA the Administrator           properly identify or use it as a source for their own derivative decision. A lack of\nserves as the sole original         training for derivative classifiers and incorrect information in the annual refresher\nclassification authority.           training given to all clearance holders contributed to the classification problems\nOthers can classify information     noted. The EPA had not promptly updated guidance. Not all cleared employees\nderivatively on the basis of        who needed an element relating to designation and management of classified\nclassified source documents or      information as part of their performance evaluation had such an element.\nclassification guides.\n                                     Recommendations and Planned Corrective Actions\nThis report addresses the\nfollowing EPA theme:\n                                    We recommend that the Assistant Administrator for the Office of Administration\n                                    and Resources Management assist EPA organizations to correct originally and\n\xef\x82\xb7 Embracing EPA as a\n                                    derivatively classified documents as needed, improve training, and develop a\n  high performing organization.\n                                    process to address declassification requests. We recommend that the Assistant\nFor further information,            Administrator for the Office of Research and Development submit a single,\ncontact our public affairs office   unclassified classification guide for approval. The action officials identified\nat (202) 566-2391.                  corrective actions for all the recommendations, and with one exception,\n                                    identified milestones to complete the actions. We recommend that the Associate\nThe full report is at:              Administrator for the Office of Homeland Security, working with others, develop\nwww.epa.gov/oig/reports/2014/       a process for approving classification guides since its reviews were delaying the\n20131115-14-P-0017.pdf              process. This recommendation is unresolved because the action official did not\n                                    concur; resolution will begin immediately upon issuance of the report.\n\x0c                         UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                      WASHINGTON, D.C. 20460\n\n\n                                                                                            THE INSPECTOR GENERAL\n\n\n\n\n                                            November 15, 2013\n\nMEMORANDUM\n\nSUBJECT:\t EPA Does Not Adequately Follow National Security Information\n          Classification Standards\n          Report No. 14-P-0017\n\nFROM: \t        Arthur A. Elkins Jr.\n\nTO:\t           Craig E. Hooks, Assistant Administrator\n               Office of Administration and Resources Management\n\n               Juan Reyes, Acting Associate Administrator \n\n               Office of Homeland Security \n\n\n               Lek Kadeli, Principal Deputy Assistant Administrator \n\n               Office of Research and Development \n\n\nThis is our report on the subject review conducted by the Office of Inspector General (OIG) of the\nU.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems\nthe OIG has identified and corrective actions the OIG recommends. This report represents the opinion of\nthe OIG and does not necessarily represent the final EPA position. Final determinations on matters in\nthis report will be made by EPA managers in accordance with established audit resolution procedures.\n\nAction Required\n\nIn accordance with EPA Manual 2750, resolution on recommendation 4 should begin immediately upon\nissuance of the report. We are requesting a meeting of the action officials from the Office of Homeland\nSecurity and the Office of Administration and Resources Management with the Assistant Inspector\nGeneral for the Office of Program Evaluation, to start the resolution process and attempt to obtain\nresolution. If resolution is still not reached within 30 days, these action officials are required to complete\nand submit a dispute-resolution request to the Chief Financial Officer.\n\nRegarding recommendation 1, you are required to provide a written response to this report within\n60 calendar days with a completion date for the planned corrective actions. Your response will be posted\non the OIG\xe2\x80\x99s public website, along with our memorandum commenting on your response. Your\nresponse should be provided as an Adobe PDF file that complies with the accessibility requirements of\nSection 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data\nthat you do not want to be released to the public; if your response contains such data, you should\nidentify the data for redaction or removal along with corresponding justification. We will post this report\nto our website at http://www.epa.gov/oig.\n\x0cIf you or your staff have any questions regarding this report, please contact Carolyn Copper, \n\nAssistant Inspector General for Program Evaluation, at (202) 566-0829 or copper.carolyn@epa.gov; or \n\nEric Lewis, Product Line Director, Special Program Reviews, at (202) 566-2664 or lewis.eric@epa.gov. \n\n\x0cEPA Does Not Adequately Follow National                                                                                      14-P-0017\nSecurity Information Classification Standards\n\n\n                                   Table of Contents \n\n\nChapters\n   1     Introduction ........................................................................................................      1\n\n\n                 Purpose .......................................................................................................    1     \n\n                 Background .................................................................................................       1     \n\n                 Scope and Methodology ..............................................................................               4     \n\n\n   2     Original Classification Processes Need Improvement ..................................                                      6\n\n\n                 Portions of the Scientific Report Need Different Classification Levels .......                                     6\n\n                 Originally Classified Security Classification Guide Had Errors ...................                                 7\n\n                 Other Security Classification Guides Not Yet Approved .............................                                8\n\n                 EPA Needs Timelier Declassification .........................................................                      9\n\n                 Requirements for Original Classifier Training Were Mostly Met ..................                                   9\n\n                 Conclusion...................................................................................................     10     \n\n                 Recommendations ......................................................................................            10     \n\n                 Agency Comments and OIG Evaluation .....................................................                          11 \n\n\n   3     Derivative Classification Decisions Did Not Comply With Requirements ....                                                 12\n\n\n                 Required Information Was Missing or Incorrect .........................................                           12 \n\n                 Information Was Incorrectly Transferred ....................................................                      14 \n\n                 NSI Program Team Found and Reported Problems With \n\n                    Derivative Decisions ..............................................................................            15 \n\n                 Derivative Classifier Training Not Implemented ..........................................                         16 \n\n                 Annual Refresher Training Lacked Required Elements ..............................                                 16 \n\n                 Not All Classifiers Were Evaluated on NSI Requirements ..........................                                 17 \n\n                 Conclusion...................................................................................................     18     \n\n                 Recommendations ......................................................................................            18     \n\n                 Agency Comments and OIG Evaluation .....................................................                          19 \n\n\n   Status of Recommendations and Potential Monetary Benefits..............................                                         20\n\n\n\n\nAppendices\n   A     EPA OIG Reports Address Section 6(b) of Public Law 111-258 ...................                                            22\n\n   B     Errors in the Derivative Documents ................................................................                       23\n\n   C     Agency Response to Draft Report ...................................................................                       24 \n\n   D     Email From the Information Security Oversight Office .................................                                    30 \n\n   E     Distribution ........................................................................................................     32\n\n\x0c                                            Chapter 1\n\n                                            Introduction\nPurpose\n                 This report complies with the Reducing Over-Classification Act (Public Law\n                 111-258 of October 7, 2010). Section 6(b)(1) of the act requires the Inspector\n                 General of each agency with an officer or employee who is authorized to make\n                 original classifications, in consultation with the Information Security Oversight\n                 Office (ISOO):1\n\n                          (A) to assess whether applicable classification policies, procedures,\n                          rules, and regulations have been adopted, followed, and effectively\n                          administered within such department, agency, or component; and\n                          (B) to identify policies, procedures, rules, regulations, or\n                          management practices that may be contributing to persistent\n                          misclassification of material within such department, agency or\n                          component.\n\n                 The law requires that Inspectors General complete two evaluations by\n                 September 30, 2016. The initial evaluation must be completed no later than\n                 September 30, 2013. This report, along with two prior U.S. Environmental\n                 Protection Agency (EPA) Office of Inspector General (OIG) reports, constitute\n                 the initial evaluation. Appendix A addresses how our three reports satisfy the\n                 requirements of the Reducing Over-Classification Act.\n\n                 The specific objective for this report was to review a representative sample of\n                 EPA\xe2\x80\x99s originally and derivatively classified document to determine:\n\n                      1.\t Whether appropriate classification markings were applied in a manner\n                          consistent with applicable classification policies, procedures, rules and\n                          regulations.\n                      2.\t The appropriateness of the original and derivative classification decisions\n                          to identify policies, procedures or management practices that may be\n                          contributing to misclassification of material.\n\nBackground\n                 Executive orders (EOs) since 1940 have directed governmentwide information\n                 classification standards and procedures. Such programs must comply with the\n                 December 2009 EO 13526, \xe2\x80\x9cClassified National Security Information,\xe2\x80\x9d which\n\n1\n ISOO is responsible to the President for policy and oversight of the governmentwide security classification system\nand the National Industrial Security Program. ISOO is a component of the National Archives and Records\nAdministration and receives policy and program guidance from the National Security Council.\n\n\n14-P-0017                                                                                                         1\n\x0c            establishes the current principles, policies and procedures for classification. The\n            EO prescribes a uniform system for classifying, safeguarding and declassifying\n            national security information (NSI). EO 13526 expresses the President\xe2\x80\x99s belief\n            that this nation\xe2\x80\x99s progress depends on the free flow of information, both within\n            the government and to the American people. Accordingly, protecting information\n            critical to national security and demonstrating a commitment to open government\n            through accurate and accountable application of classification standards and\n            routine, secure and effective declassification are equally important priorities.\n\n            Certain Information Must Be Protected\n\n            Pursuant to EO 13526 and its implementing regulations in the Code of Federal\n            Regulations (CFR), i.e., 32 CFR Part 2001, classified information that is\n            determined to require protection against unauthorized disclosure to prevent\n            damage to national security must be marked appropriately to indicate its classified\n            status. Such information must meet the following standards for classification:\n\n               \xef\x82\xb7\t The information is owned, controlled or produced by or for the\n                  U.S. government.\n               \xef\x82\xb7 The information falls within one or more of the eight categories of\n                  information (reasons for classification) described in EO 13526 Section 1.4.\n               \xef\x82\xb7\t The unauthorized disclosure of the information reasonably could be \n\n                  expected to result in damage to the national security. \n\n\n            The three U.S. classification levels, and correlating-expected damage to\n            U.S. security if the information is disclosed inappropriately, are identified below.\n            Except as otherwise provided by statute, no other terms shall be used to identify\n            U.S. classified information.\n\n               \xef\x82\xb7    Top Secret: Shall be applied to information, the unauthorized disclosure\n                    of which reasonably could be expected to cause exceptionally grave\n                    damage to the national security.\n               \xef\x82\xb7    Secret: Shall be applied to information, the unauthorized disclosure of\n                    which reasonably could be expected to cause serious damage to the\n                    national security.\n               \xef\x82\xb7    Confidential: Shall be applied to information, the unauthorized disclosure\n                    of which reasonably could be expected to cause damage to the national\n                    security.\n\n            Following September 11, 2001, Congress was concerned that information was\n            being classified at levels such that it could not be disseminated within the federal\n            government or properly shared with state, local, tribal and private sector entities\n            when necessary. Accordingly, the Reducing Over-Classification Act places an\n            emphasis on avoiding \xe2\x80\x9cover-classification,\xe2\x80\x9d which is the designation of information\n            as classified when the information does not meet one or more of the standards for\n            classification in EO 13526. Pursuant to EO 13526, classified information shall be\n\n\n\n14-P-0017                                                                                          2\n\x0c            made accessible to the maximum extent possible to authorized holders. EO 13526\n            further states that if significant doubt exists about the need to classify information it\n            should not be classified; if significant doubt exists about the appropriate level of\n            classification, information shall be classified at the lower level.\n\n            Authorized holders of information (including those outside the classifying\n            organization) who, in good faith, believe that its classification status is improper\n            are encouraged and expected to challenge the classification status of information.\n            According to 32 CFR 2001.14(b)(3), an agency shall provide an initial written\n            response to a challenge within 60 days.\n\n            Information May Be Classified by an Original Classification Authority\n\n            Original classification means an initial determination that information requires\n            protection against unauthorized disclosure in the interest of national security.\n            Information may be originally classified only by original classification authorities\n            (OCAs). OCAs are individuals authorized in writing\xe2\x80\x94either by the President,\n            Vice President, agency heads or other officials designated by the President\xe2\x80\x94to\n            initially classify information. The EPA Administrator serves as the EPA\xe2\x80\x99s sole\n            OCA; since 2004 the Administrators have originally classified eight documents.\n            When originally classifying information, the OCA must be able to identify and\n            describe the damage to national security that would be caused by its unauthorized\n            disclosure. According to 32 CFR 2001.71(c), OCAs must receive detailed training\n            on proper classification and declassification (with an emphasis on avoiding over-\n            classification) before originally classifying information, and at least once per\n            calendar year after that.\n\n            Information May Be Classified Derivatively\n\n            All personnel with an appropriate security clearance can perform derivative\n            classification unless an agency limits this activity to specific personnel.\n            Information may be derivatively classified from a source document or\n            classification guide. According to 32 CFR 2001.71(d), all personnel who apply\n            derivative classification markings must receive training on the proper application\n            principles of EO 13526 prior to derivatively classifying information and at least\n            once every 2 years thereafter. The regulations describe the elements that must be\n            present in the training for persons who apply derivative classification markings.\n\n            According to the regulations, security classification guides help ensure\n            classification decisions are consistent and uniform. An OCA must approve each\n            guide. The guide must state precisely the elements of information to be protected,\n            as well as which classification level applies to each element of information, and,\n            when useful, specify the elements of information that are unclassified. In addition,\n            agencies must incorporate original classification decisions into security\n            classification guides as soon as practicable. Further, the regulations encourage\n            those preparing guides to consult users of guides for input. Section 1.3(e) of\n\n\n\n14-P-0017                                                                                          3\n\x0c            EO 13526 provides for exceptional cases, which are when someone who does not\n            have original classification authority originates information that they believe\n            requires classification. Such information shall be promptly provided to an agency\n            with appropriate subject matter interest and classification authority, which must\n            decide within 30 days on whether to classify the information.\n\n            EPA Has a Program to Classify and Protect NSI\n\n            EPA has had a program to safeguard classified NSI since 1972, although ISOO\n            considers the amount of classification activity to be minute. EPA creates,\n            receives, handles and stores classified material because of its homeland security,\n            emergency response and continuity missions. The Assistant Administrator for the\n            Office of Administration and Resources Management (OARM) has been\n            delegated overall authority for the NSI program. The Assistant Administrator\n            may, and has, delegated much of this authority to the OARM Security\n            Management Division (SMD) within the OARM Office of Administration. The\n            SMD created an NSI program team to manage the program. In addition, all major\n            EPA offices assigned at least one employee as an NSI representative to coordinate\n            the program at their organization. The EPA\xe2\x80\x99s National Security Information\n            Handbook identifies the official policies, standards and procedures for EPA\n            employees and nonfederal personnel who have access to classified NSI.\n\n            Although the EPA has a process for making original classification decisions,\n            including approving security classification guides, there are no timelines\n            associated with the process. The key steps in the current approval process are:\n\n               \xef\x82\xb7   The EPA program office creates and marks the document. \n\n               \xef\x82\xb7   The SMD performs an administrative review. \n\n               \xef\x82\xb7   The Office of Homeland Security (OHS) within the Office of the \n\n                   Administrator evaluates the classification levels assigned.\n               \xef\x82\xb7   The EPA Administrator makes an original classification decision.\n\nScope and Methodology\n            We performed our review from February through September 2013. We conducted\n            our work in accordance with generally accepted government auditing standards\n            issued by the Comptroller General of the United States. Those standards require\n            that we plan and perform the evaluation to obtain sufficient, appropriate evidence\n            to provide a reasonable basis for our findings and conclusions based on our\n            objectives. We also reviewed internal controls over program operations and\n            compliance with applicable laws and regulations. The evidence obtained provides\n            a reasonable basis for our findings and conclusions based on our evaluation\n            objectives.\n\n            For this phase of our initial evaluation under the Reducing Over-Classification\n            Act, we reviewed the two most recent original classification decisions, both dated\n\n\n14-P-0017                                                                                     4\n\x0c            May 2012, as well as 19 of the derivatively classified documents (excluding\n            emails) authored by the EPA between January 2010 and December 2012. At\n            ISOO\xe2\x80\x99s direction, we narrowed our review to classified documents created after\n            the December 2009 issuance of EO 13526. The derivative decisions were made\n            by three EPA organizations: OHS, the National Homeland Security Research\n            Center (NHSRC) in the Office of Research and Development, and the OIG (made\n            by the OIG\xe2\x80\x99s Office of Investigations). In addition, we:\n\n               \xef\x82\xb7   Examined the results of the fundamental classification guidance review.\n               \xef\x82\xb7   Examined the results of self-inspection reporting.\n               \xef\x82\xb7   Examined applicable Standard Form 311, \xe2\x80\x9cAgency Security Classification\n                   Management Program Data.\xe2\x80\x9d\n               \xef\x82\xb7   Reviewed relevant policies, regulations and related reports.\n               \xef\x82\xb7   Reviewed the NSI annual refresher training to determine whether it was\n                   consistent with NSI guidance.\n               \xef\x82\xb7   Compared the derivatively classified documents with the corresponding\n                   source material when available.\n               \xef\x82\xb7   Interviewed EPA\xe2\x80\x99s sole original classification authority and four\n                   derivative classifiers.\n               \xef\x82\xb7   Interviewed staff responsible for security training and related policy\n                   development and implementation, including staff from SMD, NHSRC\n                   and OHS.\n\n            As directed by the Reducing Over-Classification Act, we consulted with ISOO\n            and coordinated throughout the evaluation with other Inspector General offices\n            with the intent of ensuring that our evaluations followed a consistent methodology\n            to allow for cross-agency comparisons. We also used an evaluation guide that was\n            prepared by a working group of participating Inspectors General under the\n            auspices of the Council of the Inspectors General on Integrity and Efficiency.\n            To discern whether agency policies and practices were consistent with EO 13526\n            and the regulations, we used the following from the evaluation guide:\n\n               \xef\x82\xb7   Methodology for determining the appropriateness of an original\n                   classification decision.\n               \xef\x82\xb7   Original classification authority interview coverage.\n               \xef\x82\xb7   Methodology for determining appropriateness of a derivative classification\n                   decision.\n               \xef\x82\xb7   Derivative classifier interview coverage.\n\n\n\n\n14-P-0017                                                                                   5\n\x0c                                  Chapter 2\n\n Original Classification Processes Need Improvement \n\n            The EPA needs to improve several activities related to the original classification\n            of information. We reviewed two originally classified documents that were\n            prepared by NHSRC: a scientific report and a security classification guide for that\n            scientific report. We found that portions of the scientific report needed different\n            classification levels, and that the guide contained incorrect instructions and\n            numerical data that was incorrectly transferred from another document. NHSRC\n            agreed to correct the documents. We also noted that the approved classification\n            guide, as well as three guides under review (but not yet originally classified),\n            covered information previously classified by the Administrator, which limits their\n            usefulness. Further, the three proposed guides have been in the approval process\n            for a year when approvals must, by executive order, take no more than 30 days. In\n            addition, an earlier document originally classified by the EPA will reach its\n            declassification date in 2014. The declassification process needs clarity since a\n            pending declassification request has been in the approval process for almost a\n            year when it should, according to federal regulation, take no more than 60 days.\n            This has delayed making currently classified information more accessible.\n\nPortions of the Scientific Report Need Different Classification Levels\n            The originally classified scientific report had classification inconsistencies and\n            errors. We brought these matters to the attention of the NHSRC staff, who offered\n            satisfactory responses and agreed to correct the document. As a result, the scientific\n            report may need to go through the original classification process again.\n\n            We found that different classification levels were assigned to the same\n            information within the scientific report. Four narrative portions marked\n            \xe2\x80\x9cConfidential\xe2\x80\x9d contained information that was marked \xe2\x80\x9cSecret\xe2\x80\x9d in tables and\n            figures. Another paragraph marked \xe2\x80\x9cSecret\xe2\x80\x9d contained information marked\n            \xe2\x80\x9cUnclassified\xe2\x80\x9d elsewhere. NHSRC staff agreed portions should be consistently\n            marked and plan to appropriately revise the document by increasing certain\n            markings to a higher classification level.\n\n            We also identified portions of the scientific report that seemed to be over-\n            classified. The report acknowledged there were doubts as to whether the release\n            of some of the report data would constitute a threat to national security but the\n            information was nonetheless classified. As noted in chapter 1, EO 13526 states\n            that if there is doubt, information should be unclassified or classified at a lower\n            level. In response to our questions, NHSRC offered satisfactory explanations for\n            classifying the information and explained the threat that the release of such\n            information would pose.\n\n\n14-P-0017                                                                                         6\n\x0c                   One of the most effective ways to protect classified information is through\n                   applying standard classification markings and dissemination control markings.\n                   Dissemination controls are control markings that identify the expansion or\n                   limitation on the distribution of information. These markings are in addition to\n                   and separate from the levels of classification defined by EO 13526. We\n                   determined the scientific report was marked correctly, with one minor formatting\n                   exception. Dissemination controls within portion marks must be preceded by a\n                   double slash; however, some portion marks in this document had dissemination\n                   controls preceded by a single slash. For instance, a classified paragraph was\n                   incorrectly portion marked as U/FOUO rather than as U//FOUO.2 Having one\n                   versus two slashes can change the meaning.\n\nOriginally Classified Security Classification Guide Had Errors\n                   The security classification guide for the scientific report gave incorrect\n                   instructions to those using it and contained numerical data different than that in\n                   the scientific report. It also had some portion marks with dissemination controls\n                   preceded by a single slash instead of two slashes. This is the May 2012 security\n                   classification guide to which EPA referred in the June 2012 report on its\n                   fundamental classification guidance review.\n\n                   The security classification guide provided incorrect instructions to would-be\n                   derivative classifiers:\n\n                        \xef\x82\xb7\t Title 32 CFR 2001.22(b) requires derivative classifiers to be identified by\n                           name and position or by personal identifier. However, the guide only\n                           instructs derivative classifiers to supply their names.\n                        \xef\x82\xb7\t Title 32 CFR 2001.22(e) instructs derivative classifiers to carry forward\n                           the declassification instructions from the source document. However, the\n                           guide did not specify this and instead instructs the derivative classifier to\n                           declassify \xe2\x80\x9c25 years from the date of document creation.\xe2\x80\x9d The guide did\n                           not clarify if the document creation date was in reference to the guide\n                           itself or the derivative document based on the guide.\n\n                   The security classification guide included classified numerical data that did not\n                   match the source data from the scientific report. The numerical data were\n                   classified at the same level in both documents. However, we believe the\n                   inconsistency in the data may confuse those using the guide. In response to our\n                   questions, NHSRC staff agreed to correct the numerical data taken from tables in\n                   the scientific report. As a result, the classification guide may need to go through\n                   the original classification process again unless it is superseded, as discussed\n                   below.\n\n\n\n2\n    U = Unclassified. FOUO = For official use only.\n\n\n14-P-0017                                                                                                  7\n\x0cOther Security Classification Guides Not Yet Approved\n            Three other security classification guides have been in the process for an original\n            classification decision since August 2012. According to the EO, classification\n            guides will facilitate the proper and uniform derivative classification of\n            information. Although NHSRC submitted an initial guide that was broad in scope,\n            OHS wanted the guide to be narrow in scope, i.e., pertain to a single document\n            originally classified by the Administrator. EPA clearance holders need broader\n            guidance to discern what information the EPA should classify. With such a\n            classification guide approved, NHSRC will not need to process so many\n            documents as original classification decisions. This would shorten the\n            classification process by removing two steps. The omitted steps would be\n            (1) obtaining the Administrator\xe2\x80\x99s approval and (2) actions needed because of such\n            approval.\n\n            Classification Guide With a Broader Scope Would Be More Useful\n\n            NHSRC staff initially prepared a broad security classification guide that would\n            encompass both past and possible future work. They designed the guide to help\n            NHSRC staff understand what must be classified and what can be made publicly\n            available. NHSRC considers this part of its risk assessment on each new project.\n            According to a NHSRC staff member, the OHS required NHSRC to replace the\n            broad guide with a narrowly-scoped guide that addressed only one of the original\n            classification decisions by the EPA Administrator. NHSRC submitted three\n            additional guides, narrowly scoped along the lines of original classification\n            decisions. This resulted in four security classification guides narrowly scoped to\n            reflect the original classification decisions already made. The narrow scope of these\n            guides is consistent with information included in the 2012 annual refresher training.\n            As noted in chapter 3, the training described a security classification guide as an\n            aggregation of items from original classification decisions made by an agency or\n            department. However, this description of classification guides does not completely\n            reflect all of the requirements in the regulations at 32 CFR 2001.15(b).\n\n            According to an OHS senior staff member, the EPA needs narrowly scoped\n            security classification guides because the originally classified documents mixed\n            classified with unclassified information in the same portions. Instead, the\n            classified material should have been in separate portions or an appendix.\n            Thus, a derivative classifier would clearly understand what must be protected.\n\n            Based on the requirements in the regulations, a single guide could address both\n            past original classification decisions and future NHSRC work. NHSRC, not OHS,\n            would be using the guide since it would describe the type of information NHSRC\n            might encounter or create during their work. With a broad security classification\n            guide, NHSRC staff could classify scientific reports without going through the\n            original classification process. This would shorten the classification process by\n            reducing the number of steps. As discussed in chapter 3, SMD oversees derivative\n\n\n14-P-0017                                                                                      8\n\x0c            classification decisions by EPA staff, so it can monitor the NHSRC decisions for\n            the concerns identified by OHS staff.\n\n            Delays Issuing Other Guides\n\n            NHSRC staff provided three security classification guides to SMD and OHS in\n            July and August 2012. Following SMD approval, the guides were sent to the OHS\n            no later than September 2012, where they remain. Despite inquiries from NHSRC\n            officials, NHSRC has not received feedback from OHS on the status of the\n            security classification guides. As noted in Chapter 1, EO 13526 requires a\n            classification decision within 30 days for exceptional cases, which need an\n            original classification decision. According to an OHS senior intelligence advisor,\n            the guides were classified working papers, which may be retained for 180 days\n            before finalization. When told by OIG staff that 180 days had been exhausted, the\n            staff member responded that the review process was still incomplete and the\n            guides were not ready to be processed. The SMD staff had no explanation for the\n            OHS delay. They had also asked OHS for status information, but did not receive\n            an adequate response.\n\nEPA Needs Timelier Declassification\n            EPA needs to declassify information in a timelier manner. NHSRC staff\n            challenged the classification of an EPA originally classified document in July\n            2012 by recommending that it be declassified. When a classification decision is\n            challenged, the regulations require an initial response within 60 days. SMD staff\n            completed their review of the challenge and forwarded it to OHS no later than\n            September 2012; the action has remained in OHS. SMD was unable to get update\n            information from OHS. When asked about the delay, a senior OHS staff member\n            said this was the first declassification action processed by the EPA and extra time\n            was necessary to complete the action properly. Since another originally classified\n            document will reach its declassification date in 2014, the declassification process\n            needs to work more quickly. To ensure the free flow of information, according to\n            EO 13526, routine, secure and effective declassification is an important priority.\n\nRequirements for Original Classifier Training Were Mostly Met\n            The former Administrator received training for original classifiers in 2011 and\n            2012. As noted in chapter 1, the regulations require that the annual training for\n            OCAs must include proper classification and declassification, and emphasize\n            avoiding over-classification. We found that the 2012 training materials failed to\n            cover declassification, one of the required training elements. We were unable to\n            evaluate the adequacy of the 2011 training because that training material was not\n            available.\n\n            We believe the former Administrator demonstrated adequate knowledge of\n            classification management procedures. During her 4 years in the position, the\n\n\n14-P-0017                                                                                       9\n\x0c            former Administrator made only three original classification decisions, all related\n            to the same scientific report. Given her infrequent use of her original\n            classification authority, she relied on assistance from EPA experts to help her\n            make classification decisions. However, the former Administrator was aware of\n            the importance of avoiding over-classification.\n\nConclusion\n            Because of the OIG\xe2\x80\x99s questions about the originally classified documents we\n            reviewed, NHSRC agreed to make corrections and offered reasonable\n            explanations for its classification decisions. As a result, these documents may\n            need to undergo another original classification decision. In addition, the EPA\n            needs to improve several activities related to the original classification of\n            information, including the process and speed with which (1) security\n            classification guides are approved so information can be derivatively classified in\n            a proper and uniform manner and (2) originally classified documents are\n            declassified so the information may flow freely as stated in the EO 13526. Also,\n            NHSRC needs a classification guide that will cover both past original\n            classification decisions and future work.\n\nRecommendations\n            We recommend that the Assistant Administrator for the Office of Administration\n            and Resources Management:\n\n               1. Work with the Office of Research and Development to:\n\n                       a.\t Correct the marking errors in the two originally classified\n                           documents reviewed by the OIG (the scientific report and security\n                           classification guide).\n                       b.\t Change the classification levels for portions of the scientific report.\n                       c.\t Correct the security classification guide.\n\n               2.\t Provide annual OCA training to the Administrator that complies with the\n                   regulatory requirements.\n\n               3.\t Develop a process for declassifying, within 60 days, information classified\n                   by EPA.\n\n            We recommend that the Associate Administrator for the Office of Homeland\n            Security:\n\n               4.\t Work with the Assistant Administrator for OARM to develop a process\n                   for approving classification guides within the 30 days specified in\n                   EO 13526.\n\n\n\n14-P-0017                                                                                      10\n\x0c                 We recommend that the Assistant Administrator for the Office of Research and\n                 Development:\n\n                     5.\t Submit to the NSI program team a single, unclassified classification guide\n                         that covers both past and future EPA scientific research to replace the\n                         multiple guides.\n\nAgency Comments and OIG Evaluation\n                 On behalf of the three action officials, the Assistant Administrator for OARM\n                 provided official comments on our draft report. Agency comments are in\n                 Appendix C. Appendix D is \xe2\x80\x9cAttachment 2\xe2\x80\x9d cited in the agency comments.\n\n                 The agency\xe2\x80\x99s comments included suggested wording changes, which we\n                 incorporated as appropriate. The agency action officials concurred with\n                 recommendations 1, 2 and 5. For recommendation 3 (which was\n                 recommendation 4 in the draft report), an alternative action was proposed.\n                 We considered the alternative action acceptable and revised the recommendation\n                 accordingly. The response included timeframes for completing the actions on\n                 recommendations 2, 3 and 5, so these recommendations are resolved and open\n                 pending completion of the agreed-to actions. A specific date for completing the\n                 corrective action on recommendation 1 was not given; this recommendation is\n                 unresolved until it is provided.\n\n                 The Office of Homeland Security did not concur with recommendation 4\n                 (which was recommendation 3 in the draft report) regarding a process to approve\n                 classification guides. To support its position, OHS indicated it is the EPA\xe2\x80\x99s\n                 position, supported by ISOO, that classification guides are not required. However,\n                 responding to one of our prior reports,3 the Deputy Administrator stated in a\n                 memorandum to the Inspector General dated December 22, 2011, that the EPA\n                 would prepare classification guides. Below is an excerpt from that memorandum.\n                 Recommendation 4 is unresolved. The audit resolution process starts immediately\n                 upon report issuance.\n\n                         In consultation with the Office of Homeland Security, the Office of\n                         Administration and Resources Management and the Office of\n                         General Counsel, we have determined that these recommendations\n                         [to approve and distribute classification guides] are helpful in light\n                         of evolving information-sharing initiatives for classified EPA\n                         products. The agency will implement them beginning with an\n                         initial classification guide that addresses materials most recently\n                         originally classified. . . .\n\n\n\n3\n EPA Should Prepare and Distribute Security Classification Guides (Report No. 11-P-0722 issued September 29,\n2011).\n\n\n14-P-0017                                                                                                  11\n\x0c                                   Chapter 3\n\n              Derivative Classification Decisions \n\n              Did Not Comply With Requirements \n\n            None of the 19 derivatively classified documents the OIG reviewed completely\n            met the requirements of EO 13526 and 32 CFR Part 2001. The derivative\n            classifiers did not include some required information and did not correctly\n            transfer information from the source documents. As a result, those who later\n            access the information may not know how to protect the information or be able to\n            properly identify or use it as a source for their own derivative decision. During\n            fiscal year 2012, the EPA NSI program team started reviewing derivative\n            classification decisions and reported to ISOO problems with derivative decisions\n            similar to the problems we found. We identified a lack of training for derivative\n            classifiers and incorrect information in the annual refresher training given to all\n            clearance holders as management practices that may be contributing to\n            misclassification of material or incorrect markings. EPA had not updated the\n            guidance it provided to cleared staff members. Not all cleared employees who\n            needed one had an element relating to designation and management of classified\n            information as part of their performance evaluation.\n\nRequired Information Was Missing or Incorrect\n            All 19 derivatively classified documents reviewed either lacked required\n            information and/or included incorrect information. The regulations require that\n            each derivative document identify who classified the document, the source\n            document(s) from which the classified information was derived, and a\n            declassification date or instructions. The information appears in what is called a\n            classification authority block (referred to as the classification block in the NSI\n            Handbook). The NSI Handbook instructs that every classified document must\n            contain a classification block in the lower-left corner on the front cover, title page,\n            or first page. Besides the classification block, classified documents must have\n            proper overall markings (e.g., the classification level at the top and bottom of each\n            page), portion markings, and dissemination control and handling markings.\n            We considered these and other requirements when reviewing the derivative\n            documents. Appendix B is a summary of the number of derivative documents\n            reviewed, along with the key information missing.\n\n            Classification Authority Block\n\n            Required information related to derivative classifier identification, source\n            documents and declassification date was not always present in EPA derivative\n            documents. Six of the 19 derivative documents had no classification authority\n            block. For these six instances, we had to ask the EPA staff responsible for the\n\n\n14-P-0017                                                                                       12\n\x0c            document to identify the derivative classifier and the source documents. Seven of\n            the 13 documents with a classification block did not identify the derivative\n            classifier. Prior to the June 2010 effective date for EO 13526, regulations did not\n            require derivative classifier identification in the classification block. Five of these\n            seven instances occurred during a 19-month period between the EO effective date\n            and the January 2012 revision of the EPA NSI Handbook, which was updated to\n            include the derivative classifier identification requirement. Agency guidance\n            lagging behind the policy changes may have resulted in derivative classifiers not\n            identifying themselves in the classification block. Thus, derivative classifiers\n            relying on EPA guidance may have been unaware of the new requirement.\n\n            List of Sources\n\n            Of the 13 derivative documents with a classification block, eight indicated they\n            were derived from multiple sources. When there are multiple sources, the\n            derivative classifier must include a listing of all the source materials on, or attached\n            to, each derivatively classified document. None of the eight documents had a\n            source list on or attached to it. For seven of the eight documents, someone other\n            than the derivative classifier prepared the list after the fact because the derivative\n            classifier had left the EPA. The classifier for the eighth document had the list but it\n            was not with the document. Also, one of the derivative documents that identified\n            only one source document was actually derived from multiple sources.\n\n            Overall Page Markings\n\n            Eleven documents had page marking errors. Most were relatively minor, like a\n            misplaced page banner. Four were more serious\xe2\x80\x94one because the classification\n            level was incorrect and three because a dissemination control marking was missing.\n\n            Portion Markings\n\n            Eighteen of the 19 documents had errors in their portion markings. In total,\n            one-third of the pages had one or more portion marking errors. Some were minor\n            errors, like having only one slash instead of the required two slashes between\n            marking categories. Others were more serious, such as not marking some portions\n            of the document. Without proper portion marks, those with access to the\n            document will not know what level of classification and safeguarding applies to\n            the document. Also, if they want to use the information in a derivatively classified\n            document they will not know how to correctly mark it.\n\n            Date\n\n            Ten of the 19 derivative documents had no date. Of the nine with a date, three\n            showed only the month and year, not a specific date. A date is needed so that it\n            can be cited when describing the source of a derivative document, as required by\n            the regulations.\n\n\n\n14-P-0017                                                                                        13\n\x0cInformation Was Incorrectly Transferred\n            Derivative classifiers did not always correctly transfer information from the\n            source documents to the derivative document. We compared 18 of the 19\n            derivative classified documents to their identified source documents and found\n            that all 18 documents had mistakes in transferring information. These mistakes\n            ranged from portion-marking errors to document-level issues. The EPA\n            organization responsible for the derivative documents was unable to provide the\n            source document for one of the sample items. Appendix B identifies the number\n            of documents with transfer problems.\n\n            Cited Source Was an Inappropriate Basis for a Derivative Decision\n\n            We found EPA derivatively classifying EPA-originated research on a basis not\n            allowed by the regulations. Three of the derivative documents were reports on\n            scientific studies that EPA performed for another federal agency. As their source,\n            these three derivative documents cited an instructional email from an outside\n            agency. This instructional email contained vague classification instructions (which\n            themselves were classified) and did not meet the requirements in the regulations to\n            be a security classification guide. The EPA derivative classifier told us he could not\n            verify the email author\xe2\x80\x99s identity. Since the EPA performed the research but did not\n            have an appropriate basis to derivatively classify the results, we concluded that the\n            EPA should have originally classified these research reports.\n\n            Proposal Reviews Were Over-Classified\n\n            Three derivative documents marked \xe2\x80\x9cSecret\xe2\x80\x9d were reviews of proposed scientific\n            studies prepared for an outside agency. One of the reviews contained only an\n            unclassified proposal title, a document control number and the name of the\n            reviewer but was still marked \xe2\x80\x9cSecret.\xe2\x80\x9d Another of these reviews was of a\n            proposal that had no portion markings. However, none of the review comments\n            contained excerpts from this proposal. Similarly, for the third review, none of the\n            reviewer\xe2\x80\x99s comments included classified portions in the proposal. The form used\n            for these reviews came from the outside organization and had a dropdown field to\n            select the overall classification level. The EPA reviewer could not recall if he had\n            selected the classification level or if the form came with the level already selected.\n\n            Transfer Errors or Omissions\n\n            Of the 18 derivative documents we compared to source document(s), the\n            derivative classifiers did not properly transfer the declassification date for\n            13 documents. The derivative classifier must carry forward the instructions on the\n            \xe2\x80\x9cDeclassify On\xe2\x80\x9d line from the source document to the derivative document. If\n            there was more than one source document, the \xe2\x80\x9cDeclassify On\xe2\x80\x9d line must reflect\n            the longest duration of any of its sources. However, the derivative classifier\n            incorrectly transferred the declassification date for seven documents. For six other\n\n\n14-P-0017                                                                                      14\n\x0c            documents, the declassification date from the appropriate source was not\n            transferred because the derivative document did not have a classification block.\n\n            Three of the derivative documents contained classified portions that did not come\n            from the identified sources. For these, we concluded there were one or more\n            unidentified source documents. For example, one portion mentioned activity in\n            2011 even though none of the sources were dated later than 2010. Another portion\n            without a source in this same document was marked \xe2\x80\x9cSecret\xe2\x80\x9d; the NSI\n            representative told us this was a mistake and the derivative classifier (who is no\n            longer with EPA) was being over-zealous.\n\n            There were multiple errors with another document derived from three sources.\n            One portion from the first source was over-classified in the derivative document.\n            Parts of the derivative document came from a second source, which had no portion\n            marks, so we could not determine whether it was under- or over-classified. Portions\n            that came from the third source were under-classified; the information classified in\n            the third source as \xe2\x80\x9cSecret\xe2\x80\x9d was marked \xe2\x80\x9cConfidential\xe2\x80\x9d in the derivative document.\n            The third source was an EPA-generated research report that, according to the\n            derivative classifier, should have been classified as \xe2\x80\x9cConfidential\xe2\x80\x9d even though it\n            was marked \xe2\x80\x9cSecret.\xe2\x80\x9d\n\n NSI Program Team Found and Reported Problems With\n Derivative Decisions\n            As part of its 2012 self-inspection, the EPA reported to ISOO problems with\n            derivative decisions similar to the problems we found. During fiscal year 2012, the\n            EPA NSI program team started reviewing derivative classification decisions. Their\n            reviews were to ensure that: (1) classification markings are carried over and applied\n            appropriately, (2) the overall classification is applied throughout each document,\n            and (3) the derivative classification block contains the applicable information to\n            include identifying sources. They reviewed 56 derivative classification decisions\xe2\x80\x94\n            approximately 25 percent of EPA\xe2\x80\x99s derivative decisions at the time. In the\n            November 2012 report to ISOO, the EPA reported that none of the sampled\n            decisions included a list of sources used when derived from multiple sources.\n\n            During fiscal year 2013, the NSI program team reviewed 26 recent derivative\n            decisions. They found the multiple-source issue persisted as the multiple-source\n            list was not present in 14 documents. In addition, they found:\n\n               \xef\x82\xb7   An incorrect declassification date in 16 documents. \n\n               \xef\x82\xb7   Portion marking errors in 13 documents. \n\n               \xef\x82\xb7   Overall classification marking errors in six documents. \n\n               \xef\x82\xb7   The Classification block missing in six documents. \n\n               \xef\x82\xb7   The \xe2\x80\x9cclassified by\xe2\x80\x9d line missing in four documents. \n\n               \xef\x82\xb7   Working paper marking errors in four documents. \n\n\n\n\n14-P-0017                                                                                      15\n\x0cDerivative Classifier Training Not Implemented\n            The EPA has not met the requirements in the regulations for training the\n            derivative classifiers. The NSI program team proposed additional training for\n            derivative classifiers but has not yet implemented the training.\n\n            EPA does not offer derivative classifier training. As noted in chapter 1, the\n            training must emphasize avoiding over-classification and cover certain\n            information. Without this required training at least every 2 years, the regulations\n            require the EPA to suspend the authority of the individual to apply derivative\n            classification markings.\n\n            We found EPA derivative classifiers had gaps in their knowledge of derivative\n            classification procedures. None of the four derivative classifiers we interviewed\n            succeeded in answering all of our knowledge test questions. In addition, some of\n            the subjects\xe2\x80\x99 knowledge gaps appeared to lead to marking errors in their\n            documents. For example, when asked if a list of source documents was kept with\n            documents derived from multiple sources, one respondent told us the list was kept\n            separate. This respondent created one of the documents derived from multiple\n            sources that did not have a source list with the document.\n\n            Although the EPA does not offer training for derivative classifiers, it is available\n            elsewhere. An example is the Web-based Classification Management and the\n            IC [Intelligence Community] Markings System course offered by the Office of the\n            Director of National Intelligence. This course meets the minimum national\n            training requirements for derivative classifiers established in EO 13526 and the\n            regulations.\n\n            In its 2012 annual self-inspection report, the EPA informed ISOO it had\n            identified a need for additional training related to marking derivative documents,\n            identifying multiple sources where applicable, and marking requirements in the\n            electronic environment (specifically as it relates to email on the Homeland Secure\n            Data Network). It told ISOO that clearance holders would be provided with\n            derivative classifier training as part of its mandatory 2012 NSI annual refresher\n            training. However, as discussed below, we found this was not done. The EPA also\n            told ISOO it would make stand-alone derivative classifier training available to\n            clearance holders during fiscal year 2013 and ensure that all clearance holders are\n            trained. However, this has not yet been done.\n\nAnnual Refresher Training Lacked Required Elements\n            The regulations require that annual refresher training be given to all cleared\n            employees who create, process or handle classified information. However, the\n            training EPA provided in 2011 and 2012 was inconsistent with some aspects of\n            the regulations. It also did not cover all the information needed by derivative\n            classifiers, so it did not fulfill the requirements for derivative classifier training.\n\n\n14-P-0017                                                                                             16\n\x0c            The 2011 annual refresher training did not cover seven of the nine required\n            elements for derivative classifiers, and the 2012 training did not cover four of\n            these elements. The four elements required for derivative classifiers not covered\n            by either the 2011 or 2012 refresher training concerned classification prohibitions\n            and limitations, sanctions, classification challenges and information sharing.\n            In addition, neither the 2011 nor 2012 training emphasized avoiding\n            over-classification.\n\n            The annual refresher training in 2011 included information inconsistent with the\n            regulations. For example, the training omitted that a derivative classifier may make\n            a derivative classification decision based on a security classification guide. Instead,\n            the training only mentioned derivatively classifying an item based on a classified\n            original document. This lack of a reference to security classification guides limited\n            what source a derivative classifier might use to classify information.\n\n            The annual refresher training in 2012 also included information that was\n            inconsistent with the regulations. The training mistakenly instructed that:\n\n               \xef\x82\xb7\t The classification block of a derivatively classified document should\n                  include a \xe2\x80\x9cReason\xe2\x80\x9d line; the regulations do not require a \xe2\x80\x9cReason\xe2\x80\x9d line.\n               \xef\x82\xb7\t When the \xe2\x80\x9cDerived from\xe2\x80\x9d line indicates multiple sources, the list of these\n                  sources must be attached; the regulations allow the derivative classifier the\n                  option of incorporating the list in the document.\n               \xef\x82\xb7\t A security classification guide is an aggregation of items from an originally\n                  classified document; the regulations require a security classification guide to\n                  identify elements of information that must be protected without stipulating\n                  that the information must already be in an originally classified document.\xc2\xa0\xc2\xa0\n\n            Also, the training slides had no examples of overall markings or portion marking\n            with more than one category, such as "SECRET//NOFORN" or "(S//NF)."\n\nNot All Classifiers Were Evaluated on NSI Requirements\n            Not all cleared employees who needed it had an element or item relating to\n            designation and management of classified information in their performance\n            evaluation. EO 13526 requires such an element or item to be evaluated in the\n            rating for personnel whose duties significantly involve handling classified\n            information, including those who regularly apply derivative classification\n            markings. We reviewed the performance evaluations\xe2\x80\x94specifically, the critical\n            element related to national security\xe2\x80\x94for SMD staff and the derivative classifiers\n            we interviewed. The performance evaluations for three of the four derivative\n            classifiers interviewed included a critical element related to NSI activities. The\n            fourth derivative classifier, who was also a NSI representative, did not have a\n            critical element related to NSI-related responsibilities.\n\n\n\n\n14-P-0017                                                                                      17\n\x0c            EO 13526, 32 CFR 2001 and the NSI Handbook all provide that sanctions can be\n            imposed for violating NSI requirements. Further, the Reducing Over-\n            Classification Act authorizes agencies under Chapter 45 of Title 5, U.S. Code, to\n            consider an employee\xe2\x80\x99s consistent and proper classification of information when\n            making cash awards; however, this assumes that the Office of Management and\n            Budget is again allowing discretionary monetary awards.\n\nConclusion\n            EO 13526 requires the EPA to protect information critical to our nation\xe2\x80\x99s security.\n            The errors we found in the 19 derivatively classified documents make it harder for\n            those with access to each document to know what level of classification and\n            safeguarding applies to it. During fiscal year 2012, the EPA NSI program team\n            started reviewing derivative classification decisions to ensure they complied with\n            EO 13526 and the regulations. They found deficiencies in ancillary issues not\n            directly affecting the appropriateness of the derivative classification decision, and\n            the deficiencies persisted into fiscal year 2013. Although the NSI program team\n            identified lack of derivative classifier training as a weakness, the team has not\n            provided the required training to date. Moreover, as long as incorrect information\n            is presented in the annual refresher training given to all clearance holders, EPA\n            lacks assurance that its cleared staff are aware of their responsibilities. This is\n            occurring even though employees may be subject to appropriate sanctions if they\n            violate any provisions of the EO or the regulations.\n\nRecommendations\n            We recommend that the Assistant Administrator for the Office of Administration\n            and Resources Management:\n\n               6.\t Assist the appropriate EPA organizations in bringing the derivative\n                   documents reviewed by the OIG into compliance with EO 13526 and\n                   32 CFR Part 2001. For example:\n\n                       a.\t Attach or incorporate a source document list if derived from\n                           multiple sources.\n                       b.\t Correct the classification blocks to include the name and position\n                           or personal identifier of the derivative classifier.\n                       c.\t Declassify proposal reviews and other documents deemed\n                           over-classified.\n                       d.\t Convert derivatively classified documents to original\n                           classifications.\n                       e.\t Ensure consistency in portion marks from sources applied to\n                           original documents.\n\n               7.\t Provide NSI annual refresher training that is consistent with regulatory\n                   requirements.\n\n\n14-P-0017                                                                                     18\n\x0c               8.\t Enforce the requirements in 32 CFR 2001.71(d) regarding derivative\n                   classifier training.\n\n               9.\t Remind the heads of EPA organizations that their staff who hold a security\n                   clearance should have included in their performance evaluation a critical\n                   element or item on the designation and management of classified\n                   information if the individual is a security manager or specialist or has\n                   duties that significantly involve creating or handling classified information\n                   (e.g., NSI representatives).\n\nAgency Comments and OIG Evaluation\n            The action official concurred with recommendations 6, 7 and 8. For\n            recommendation 9, an alternative action was proposed. We considered the\n            alternative acceptable, but did not revise the recommendation since OARM is still\n            the action official. The response included timeframes for completing these\n            actions. Thus, these recommendations are resolved and open pending completion\n            of the agreed-to actions.\n\n\n\n\n14-P-0017                                                                                    19\n\x0c                            Status of Recommendations and\n                              Potential Monetary Benefits\n\n                                                                                                                          POTENTIAL MONETARY\n                                               RECOMMENDATIONS                                                             BENEFITS (in $000s)\n\n                                                                                                              Planned\n Rec.   Page                                                                                                 Completion   Claimed    Agreed-To\n No.     No.                         Subject                        Status1         Action Official             Date      Amount      Amount\n\n  1      10    Work with the Office of Research and Development       U       Assistant Administrator for\n               to:                                                               Administration and\n                 a. Correct the marking errors in the two                      Resources Management\n                    originally classified documents reviewed by\n                    the OIG (the scientific report and security\n                    classification guide).\n                 b. Change the classification levels for portions\n                    of the scientific report.\xc2\xa0\n                 c. Correct the security classification guide.\n  2      10    Provide annual OCA training to the Administrator       O       Assistant Administrator for     12/30/13\n               that complies with the regulatory requirements.                   Administration and\n                                                                               Resources Management\n\n  3      10    Develop a process for declassifying, within            O       Assistant Administrator for     3/30/14\n               60 days, information classified by EPA.                           Administration and\n                                                                               Resources Management\n\n  4      10    Work with the Assistant Administrator for OARM to      U       Associate Administrator for\n               develop a process for approving classification                    Homeland Security\n               guides within the 30 days specified in EO 13526.\n\n  5      11    Submit to the NSI program team a single,               O        Assistant Administrator for    12/30/13\n               unclassified classification guide that covers both             Research and Development\n               past and future EPA scientific research to replace\n               the multiple guides\n\n  6      18    Assist the appropriate EPA organizations in            O       Assistant Administrator for     9/30/14\n               bringing the derivative documents reviewed by the                 Administration and\n               OIG into compliance with EO 13526 and 32 CFR                    Resources Management\n               Part 2001. For example:\n                 a. Attach or incorporate a source document list\n                    if derived from multiple sources.\n                 b. Correct the classification blocks to include\n                    the name and position or personal identifier\n                    of the derivative classifier.\n                 c. Declassify proposal reviews and other\n                    documents deemed over-classified.\n                 d. Convert derivatively classified documents to\n                    original classifications.\n                 e. Ensure consistency in portion marks from\n                    sources applied to original documents.\n\n  7      18    Provide NSI annual refresher training that is          O       Assistant Administrator for     12/30/13\n               consistent with regulatory requirements.                          Administration and\n                                                                               Resources Management\n\n  8      19    Enforce the requirements in 32 CFR 2001.71(d)          O       Assistant Administrator for     3/30/14\n               regarding derivative classifier training.                         Administration and\n                                                                               Resources Management\n\n\n\n\n14-P-0017                                                                                                                                   20\n\x0c                                                                                                                                  POTENTIAL MONETARY\n                                                     RECOMMENDATIONS                                                               BENEFITS (in $000s)\n\n                                                                                                                      Planned\n    Rec.    Page                                                                                                     Completion   Claimed    Agreed-To\n    No.      No.                           Subject                           Status1        Action Official             Date      Amount      Amount\n\n     9       19     Remind the heads of EPA organizations that their           O       Assistant Administrator for    12/30/13\n                    staff who hold a security clearance should have                       Administration and\n                    included in their performance evaluation a critical                 Resources Management\n                    element or item on the designation and\n                    management of classified information if the\n                    individual is a security manager or specialist or has\n                    duties that significantly involve creating or handling\n                    classified information (e.g., NSI representatives).\n\n\n\n\n1    O = Recommendation is open with agreed-to corrective actions pending.\n\n     C = Recommendation is closed with all agreed-to actions completed.\n\n     U = Recommendation is unresolved with resolution efforts in progress.\n\n\n\n\n\n14-P-0017                                                                                                                                           21\n\x0c                                                                                          Appendix A\n\n                  EPA OIG Reports Address Section 6(b)\n                         of Public Law 111-258\nSection 6(b) of the Reducing Over-Classification Act (PL 111-258) requires the Inspector\nGeneral of each agency with an officer or employee who is authorized to make original\nclassifications, in consultation with the ISOO, to carry out no less than two evaluations of that\nagency. The first evaluation shall be completed by September 30, 2013, and the second by\nSeptember 30, 2016. The evaluations are to cover the following, with the second evaluation\nbeing a review of the progress made pursuant to the results of the first evaluation:\n\n    \xef\x82\xb7\t Assess whether applicable classification policies, procedures, rules, and regulations have\n       been adopted, followed, and effectively administered within such department, agency, or\n       component.\n    \xef\x82\xb7\t Identify policies, procedures, rules, regulations, or management practices that may be\n       contributing to persistent misclassification of material within such department, agency or\n       component.\n\nIn consultation with ISOO, the Council of the Inspectors General on Integrity and Efficiency\nissued a guide for conducting the initial evaluation under the Reducing Over-Classification Act.\nThe guide\xe2\x80\x99s goal is to ensure that the OIG evaluations meet the above requirements and follow a\nconsistent methodology to allow for cross-agency comparisons. It identified five researchable\nquestions. The table below lists each question and the EPA OIG report that addressed it. Thus,\nwe completed the work required for the first evaluation. We plan to start work on the second\nevaluation during fiscal 2015.\n\n                       Question                                         EPA OIG Report\n1. To what extent has the organization adopted         EPA Should Prepare and Distribute Security\nclassification policies, procedures, rules and         Classification Guides (Report No. 11-P-0722\nregulations?                                           issued September 29, 2011)\n2. To what extent do the organization classification\n                                                       EPA\xe2\x80\x99s National Security Information Program Could\npolicies, procedures, rules and regulations comply\n                                                       Be Improved (Report No. 12-P-0543 issued\nwith existing Federal classification requirements,\n                                                       June 18, 2012)\nguidelines, etc?\n3. To what extent have the organization                EPA\xe2\x80\x99s National Security Information Program Could\nclassification policies, procedures, rules, and        Be Improved (Report No. 12-P-0543 issued\nregulations been effectively followed and              June 18, 2012)\nadministered?\n                                                       EPA Does Not Adequately Follow National Security\n                                                       Information Classification Standards (Report No.\n                                                       14-P-0017 issued November 15, 2013)\n4. To what extent, if any, and in what manner have     EPA Does Not Adequately Follow National Security\ninformation and materials been over-classified         Information Classification Standards (Report No.\nwithin the organization?                               14-P-0017 issued November 15, 2013)\n5. To what extent, if any, and in what manner have\n                                                       EPA\xe2\x80\x99s National Security Information Program Could\npolicies, procedures, rules, regulations, or\n                                                       Be Improved (Report No. 12-P-0543 issued\nmanagement practices contributed to any over-\n                                                       June 18, 2012)\nclassifications?\nSource: OIG analysis.\n\n\n\n\n14-P-0017                                                                                            22\n\x0c                                                                                                       Appendix B\n\n                     Errors in the Derivative Documents\n\n                                                                            Number of Documents\n                                                              OHS             OIG        NHSRC               Total\n                    Description                             (out of 1)4     (out of 7) (Out of 11)         (Out of 19)\n\n      Required Information Was Missing\n\nDocument had no date of origin for the document.\n                                                                 1               2              7                10\n(32 CFR 2001.22(a) and 2001.22(c))\n\nThere was no classification authority block.\n                                                                 0               0              6                6\n(32 CFR 2001.22)\n\nInformation in the classification block was\n                                                                 1               7              5                13\nincomplete or incorrect. (32 CFR 2001.22)\n\nMultiple sources were cited in the classification\n                                                                                                                     5\nblock, but the list of sources was missing.                      0               7              1                8\n(32 CFR 2001.22(c))\n\nPage marking had errors. (32 CFR 2001.21(b))                     0               6              5                11\n\nPortion marking had errors. (32 CFR 2001.21(c))                  0               7             11                18\n\n                 Transfer Errors6\n\nSource was not a proper basis for a derivative\n                                                                 0               0              3                3\ndecision. (32 CFR 2001.22(a) and 2001.22(c))\n\nDocument contained no classified information so\n                                                                 0               0              5                5\nit can be declassified. (EO 13526, Section 3.1)\n\nDeclassification date was not correctly transferred\nfrom the source document(s) to the derivative                    0               7              6                13\ndocument (32 CFR 2001.22(e))\n\nOther information was incorrectly transferred from\n                                                                 0               3              5                8\nthe source document(s). (32 CFR 2001.22)\n\n\n\n\n4\n  \xc2\xa0We were unable to compare the derivative document to the source document.\n\xc2\xa0\n5\n   Only eight of the 19 documents cited multiple sources in the classification block.\n\n6\n   We evaluated 18 of the derivative documents for transfer errors since the source for one of the derivative\n\ndocuments was not available.\n\xc2\xa0\n\n\n14-P-0017                                                                                                                23\n\x0c                                                                                     Appendix C\n\n                   Agency Response to Draft Report\n\n                   UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                WASHINGTON, D.C. 20460\n\n\n\n\n                                          SEP 23 2013\n                                                                                   OFFICE OF\n\n                                                                                 ADMINISTRATION\n\n                                                                                 AND RESOURCES \n\n                                                                                  MANAGEMENT\n\n\n\n\n\nMEMORANDUM\n\nSUBJECT:       Response to Office of Inspector General Draft Report No. OPE-FY13-0009,\n               \xe2\x80\x9cEPA Does Not Sufficiently Follow National Security Information Classification\n               Standards,\xe2\x80\x9d dated September 6, 2013\n\nFROM:          Craig E. Hooks, Assistant Administrator /s/\n\nTO:            Jeffrey Harris, Acting Deputy Assistant Inspector General\n               Office of Program Evaluation\n\nThank you for the opportunity to respond to the issues and recommendations in the subject draft\naudit report. The following is a summary of the agency\xe2\x80\x99s overall position, with an attached table\nof responses to each of the report recommendations (Attachment 1). For those recommendations\nwith which the agency agrees, we have provided intended corrective actions and estimated\ncompletion dates. For report recommendations the agency does not agree with, we have\nexplained our position.\n\nOverall Position\n\nThe agency agrees with recommendations 1, 2 and 5-8. The responsible office, OARM, agrees\nwith the intent of recommendation 9 but proposes another means to address the recommendation.\nThe responsible office, OHS, disagrees with recommendations 3 and 4; OARM proposes an\nalternative for recommendation 4.\n\n\n\n\n14-P-0017                                                                                      24\n\x0cRecommendations for Changes to Draft Report Text\n\nThe report would present a clearer picture of the agency\xe2\x80\x99s classification program if it mentioned\nits small size. Since 2004, the agency has originally classified only eight documents. Our\nderivative classification program is also small. In a 2011 message to the EPA, the Acting\nDirector of the Information Security Oversight Office said, \xe2\x80\x9cEPA only has one OCA; unlike at\nalmost all other agencies, it may not be delegated. Additionally, unlike almost all other agencies,\nit has a very minute amount of classification activity\xe2\x80\x9d (Attachment 2).\n\nThe agency believes the phrase \xe2\x80\x9cflawed numerical data\xe2\x80\x9d (\xe2\x80\x9cAt a Glance\xe2\x80\x9d and p. 7) implies that the\nscientific report has flawed data. The scientific report does not have flawed data, and we\nrecommend that the text be changed to reflect that fact. We agree that the Originally Classified\nSecurity Classification Guide contained two numbers that were incorrectly transferred from the\nsource document.\n\nThe agency recommends revising the OIG finding that the scientific report and classification\nguide, once corrected, needs to go through the original classification process again. ORD\nreported to the OIG one marking error (a \xe2\x80\x9cU//FOUO\xe2\x80\x9d marked paragraph containing one Secret\nfact) which will be corrected. Because the Secret fact was already classified elsewhere in the\nscientific report, the documents may not need to go through the original classification process.\nWe recommend that the documents must be evaluated to determine if they need to go through the\noriginal classification process again.\n\nOARM, ORD and OHS will continue collaborating to strengthen the agency\xe2\x80\x99s classification\nprogram.\n\nIf you have questions regarding OARM responses, please contact Tami Franklin, Director of the\nOARM/OA/ Security Management Division at (202) 564-9218. For questions on ORD\nresponses, please contact Deborah Heckman at 202-564-7274. For questions on OHS responses,\nplease contact Juan Reyes, Acting Associate Administrator, at (202) 564-4188.\n\nAttachments (2)\n\ncc: \tLek Kadeli\n     Juan Reyes\n     John Showman\n     Steve Blankenship\n     Brandon McDowell\n     Eric Lewis\n     Christine Baughman\n\n\n\n\n14-P-0017                                                                                        25\n\x0c                AGENCY\xe2\x80\x99S RESPONSE TO REPORT RECOMMENDATIONS\n\n\nAgreements\n\n                                                                                    Estimated\n              Recommendation/                    High-Level Intended\nNo.                                                                               Completion by\n              Responsible Office                 Corrective Action(s)\n                                                                                  Quarter and FY\n        Responsible Office: OARM\n\n        Work with the appropriate EPA\n        organization to:\n        a. Correct the marking errors\n           in the two originally            The National Security               The NSI Program\n           classified documents             Information Program Team will       Team review will\n           reviewed by the OIG (the         review all corrections and          be completed within\n1 a-c\n           scientific report and security   changes submitted, to ensure        30 calendar days of\n           classification guide).           the markings are appropriately      receipt of a\n        b. Change the classification        placed and at the correct           document.\n           levels for portions of the       classification level.\n           scientific report.\n        c. Correct the erroneous data\n           in the security classification\n           guide.\n                                            The NSI Program Team will\n                                            ensure that CY13 OCA training\n        Responsible Office: OARM            complies with all regulatory\n                                            requirements. (NOTE: EO             Fully compliant\n        Provide annual Original             13526 training requirements are     OCA training will\n 2      Classification Authority            stated in terms of calendar year.   be provided to the\n        training to the Administrator       The OIG response template           Administrator by\n        that complies with the              calls for completion dates by       the end of Q1FY14.\n        regulatory requirements.            fiscal year. As a result, some\n                                            lines in this document refer to\n                                            CY and FY.)\n\n\n\n\n14-P-0017                                                                                          26\n\x0c                                                                                    Estimated\n             Recommendation/                     High-Level Intended\nNo.                                                                               Completion by\n             Responsible Office                  Corrective Action(s)\n                                                                                  Quarter and FY\n\n       Responsible Office: ORD\n                                            ORD will prepare and submit to      The document will\n       Submit to the NSI program\n                                            the NSI Program Team an             be submitted to the\n       team a single, unclassified\n 5.                                         unclassified classification guide   NSI Program Team\n       classification guide that covers\n                                            to cover past and future            by the end of\n       both past and future EPA\n                                            scientific research.                Q1FY14.\n       scientific research to replace the\n       multiple guides.\n\n\n       Responsible Office: OARM\n\n       Assist the appropriate EPA\n       organizations in bringing the\n       derivative documents reviewed                                          The NSI Program\n       by the OIG into compliance                                             Team will complete\n       with EO 13526 and 32 CFR                                               its review\n       2001. For example:                                                     of/assistance with\n       a. Attach or incorporate a           OARM will assist appropriate      the documents\n           source document list if          EPA organizations in bringing     within 30 days of\n           derived from multiple            the derivative documents          receipt. The\n           sources                          reviewed by the OIG into          documents cannot\n       b. Correct the classification        compliance with EO 13526 and be brought into\n 6.\n           blocks to include the name       32 CFR Part 2001. The             compliance without\n           and position or personal         cooperation of the appropriate    the active\n           identifier of the derivative     EPA organizations (ORD, OHS, involvement of the\n           classifier                       and the OIG) is essential for the appropriate EPA\n       c. Declassify proposal reviews       completion of this                organizations.\n           and other documents              recommended action.               OARM anticipates\n           deemed over-classified                                             completion by the\n       d. Convert derivatively                                                end of Q4FY14.\n           classified documents to\n           original classifications\n       e. Ensure consistency in\n           portion markings from\n           sources applied to original\n           documents\n\n\n\n\n14-P-0017                                                                                          27\n\x0c                                                                                  Estimated\n              Recommendation/                   High-Level Intended\nNo.                                                                             Completion by\n              Responsible Office                Corrective Action(s)\n                                                                                Quarter and FY\n\n                                          The NSI computer-based              Supplemental\n                                          refresher training module for       outreach for CY13\n                                          CY13 has been developed,            will be completed\n                                          although not yet disseminated.      and provided to\n       Responsible Office: OARM\n                                          The NSI Program Team, to be         clearance holders\n                                          fully consistent with regulatory    by the end of\n 7.    Provide NSI annual refresher\n                                          requirements, will supplement       Q1FY14. Refresher\n       training that is consistent with\n                                          the training with outreach          training for CY14\n       regulatory requirements.\n                                          material. CY14 computer-based       will be provided to\n                                          refresher training will be fully    clearance holders\n                                          consistent with regulatory          by the end of\n                                          requirements.                       Q1FY15.\n\n       Responsible Office: OARM\n                                          Computer-based derivative           Derivative classifier\n                                          classifier training will meet the   training will be\n 8.    Enforce the requirements in 32\n                                          requirements in 32 CFR              developed by the\n       CFR 2001.71(d) regarding\n                                          2001.71(d)                          end of Q2FY14.\n       derivative classifier training.\n\n\n\nDisagreements\n\n             Recommendation/                                                       Proposed\nNo.                                       Agency Explanation/ Response\n             Responsible Office                                                   Alternative\n\n      Responsible Office: OHS\n                                          (Note: OHS provided the\n                                                                              Note: OHS did not\n      Work with the assistant             following to OARM.) \xe2\x80\x9cOHS\n                                                                              provide to OARM a\n      administrator for OARM to           non-concurs with\n 3                                                                            proposed alternative\n      develop a transparent process for   recommendation No. 3. It is the\n                                                                              to include in this\n      approving classification guides     current EPA position supported\n                                                                              response.\n      within the 30 days specified in     by ISOO that Classification\n      EO 13526.                           Guides are not required.\xe2\x80\x9d\n\n      Responsible Office: OHS\n                                          (Note: OHS provided the             By the end of\n      Work with the assistant             following to OARM.) \xe2\x80\x9cOHS            Q2FY14,\n 4    administrator for OARM to           non-concurs with                    information\n      develop a transparent process for   recommendation No. 4. Under         classified by EPA\n      declassifying, within 60 days,      the current and existing            will be declassified,\n      information classified by EPA.      delegation, it is the               if appropriate,\n\n\n14-P-0017                                                                                        28\n\x0c             Recommendation/                                                          Proposed\nNo.                                        Agency Explanation/ Response\n             Responsible Office                                                      Alternative\n                                           responsibility of OARM to            within 60 days of\n                                           develop a transparent                the NSI Program\n                                           declassification review process      Team\xe2\x80\x99s receipt of\n                                           in accordance with EO 13526.\xe2\x80\x9d        the request.\n\n                                           OARM has a draft process for\n                                           declassifying, within 60 days,\n                                           information classified by the\n                                           EPA. OARM has traditionally\n                                           included OHS in this process as\n                                           a collaborative partner, but\n                                           given OHS\xe2\x80\x99s position and the\n                                           OIG\xe2\x80\x99s finding that\n                                           declassification must be\n                                           timelier, OARM accepts\n                                           responsibility for this\n                                           recommendation and will work\n                                           with subject matter experts to\n                                           provide declassification\n                                           recommendations for the\n                                           Administrator\xe2\x80\x99s approval.\n                                           We fully agree with the intent\n      Responsible Office: OARM             of this recommendation, but\n                                           propose that the reminder be\n      Remind the heads of EPA              sent from the director of the\n      organizations that their staff who   Security Management Division\n      hold a security clearance should     to the NSI representatives\n      have included in their               newly appointed by each\n                                                                                The director of the\n      performance evaluation a critical    organization\xe2\x80\x99s head to act as\n                                                                                Security\n      element or item on the               that organization\xe2\x80\x99s liaison to the\n                                                                                Management\n 9    designation and management of        NSI Program Team. The\n                                                                                Division will send\n      classified information if the        designations were made in\n                                                                                the reminder by the\n      individual is a security manager     response to an August 16, 2013,\n                                                                                end of Q1 FY14.\n      or specialist or has duties that     formal request from the AA,\n      significantly involve creating or    OARM to the heads of EPA\n      handling classified information      organizations. The NSI\n      (e.g., derivative classifiers and    representatives will ensure that\n      NSI representatives).                all cleared employees have the\n                                           appropriate critical element\n                                           added to their PARS.\n\n\n\n\n14-P-0017                                                                                           29\n\x0c                                                                                      Appendix D\n\n  Email From the Information Security Oversight Office\n\nThe following email was submitted by ISOO to the EPA on June 1, 2011.\n\nSubject: EPA Classification Policy\n\nEPA has asked ISOO if it needs to create a classification guide in accordance with Section 2.2 of\nExecutive Order 13526 (\'\'the Order").\n\nFinding: ISOO does not believe that EPA needs to create a classification guide. ISOO does not\nbelieve that EPA is in violation of section 2.2 of the Order. ISOO continues to believe that EPA\nhas strong and sufficient controls in place with regard to its original classification program.\n\nBackground and supporting observations:\n1. In the past seven fiscal years, EPA has originally classified a total of six documents. See FY\nlist at the bottom of this e-mail message.\n2. EPA is one of few agencies granted Original Classification Authority by the President. Under\nthe Order, only the Administrator serves as the OCA and she may not delegate this authority.\nEPA\'s situation is unique in that the OCA may not be delegated and it rarely needs to exercise\nthis OCA authority.\n3. EPA has developed a meticulous and rigorous process for deciding to originally classify\nrecords. ISOO conducted a detailed on-site review in September 2005 that among other items,\ncommended EPA for its decision-making process. At that time, ISOO found that EPA\'s detailed\nprocess ensured that each possible classification decision was well-thought out, rationale, and\ninformed. Further, ISOO found that this process involved all appropriate staff and offices,\nincluding the Office of the Administrator.\n4. Since this detailed on-site audit, ISOO has met yearly with EPA officials to discuss its\nclassified national security program. Additionally, ISOO is in regular communication with EPA\nsecurity staff to discuss EPA\'s classified national security program. Finally, ISOO regularly\nmonitors EPA\'s classified national security program and evaluates EPA\'s reports and responses\nto ISOO data calls and requests.\n5. EPA has strong processes in place to ensure that classification decisions are appropriate and\nin accordance with the Order.\n6. The purpose of Section 2.2 of the Order is to ensure that those agencies that have several\nOCAs and make many classification decisions are doing so in an effective and efficient manner\nthat aids the classification system by ensuring uniformity and consistency. EPA only has one\nOCA; unlike at almost all other agencies, it may not be delegated. Additionally, unlike almost all\nother agencies, it has a very minute amount of classification activity.\n\nConcluding remarks: While the exact letter of the Order seems to suggest that all agencies\ngranted OCA authority by the President must have classification guides, there is still room for\njudgement (sic) and common sense. In our view, looking at the program and its activity in its\n\n\n14-P-0017                                                                                         30\n\x0centirety, EPA\'s program is fully functioning and has the appropriate checks and balances in\nplace to ensure that its classification program is consistent and effective.\n\n2010-\n0riginal-0\nDerivative-16\n\n2009-\n0riginal- 0\nDerivative-4\n\n2008-\n0riginal-3\nDerivative-10\n\n2007-\n0riginal-0\nDerivative-13\n\n2006-\n0riginal-0\nDerivative-46\n\n2005-\n0-2\nD-5\n\n2004-\n0-1\nD-0\n\n\n\n\n14-P-0017                                                                                     31\n\x0c                                                                                Appendix E\n\n                                    Distribution\nOffice of the Administrator\nAssistant Administrator for Administration and Resources Management\nPrincipal Deputy Assistant Administrator for Research and Development\nAssociate Administrator for Homeland Security\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nPrincipal Deputy Assistant Administrator, Office of Administration and Resources Management\nDirector, Office of Policy and Resource Management, Office of Administration and\n       Resources Management\nDeputy Director, Office of Policy and Resource Management, Office of Administration and\n       Resources Management\nDirector, Office of Regional Operations\nDirector, Office of Administration, Office of Administration and Resources Management\nDirector, Security Management Division, Office of Administration and Resources Management\nChief, Personnel Security Branch, Office of Administration and Resources Management\nTeam Leader, National Security Information Program Team, Office of Administration and\n       Resources Management\nDirector, National Homeland Security Research Center, Office of Research and Development\nAudit Follow-Up Coordinator, Office of the Administrator\nAudit Follow-Up Coordinator, Office of Administration and Resources Management\nAudit Follow-Up Coordinator, Office of Research and Development\nAudit Follow-Up Coordinator, Office of Policy and Resource Management, Office of\n       Administration and Resources Management\n\n\n\n\n14-P-0017                                                                                32\n\x0c'